General

  • Target

    59c39e77c1aa947761edf957d79390c8_JaffaCakes118

  • Size

    664KB

  • Sample

    241018-241g4stbqe

  • MD5

    59c39e77c1aa947761edf957d79390c8

  • SHA1

    d17bf1a2587b20fc6dbab6d8c4eaed0c14054178

  • SHA256

    66664b8805b5a084925ac565d2a96dafdf9bbae63020623625d542d7a0131072

  • SHA512

    c30dcff0498c902c8ce4666562f7a09351db6b13f70a2c814b5ac40c1fb17bb624773df5c8c6939ba2f2355377c1abe32ace383babeec153d4122aba4e230262

  • SSDEEP

    12288:B05Rq34RNtJRbdbRrBERq34RNtJRbdbR:uRc4RNtJRbdFrGRc4RNtJRbdF

Malware Config

Extracted

Family

xtremerat

C2

amir.no-ip.info

amir1.no-ip.info

Targets

    • Target

      59c39e77c1aa947761edf957d79390c8_JaffaCakes118

    • Size

      664KB

    • MD5

      59c39e77c1aa947761edf957d79390c8

    • SHA1

      d17bf1a2587b20fc6dbab6d8c4eaed0c14054178

    • SHA256

      66664b8805b5a084925ac565d2a96dafdf9bbae63020623625d542d7a0131072

    • SHA512

      c30dcff0498c902c8ce4666562f7a09351db6b13f70a2c814b5ac40c1fb17bb624773df5c8c6939ba2f2355377c1abe32ace383babeec153d4122aba4e230262

    • SSDEEP

      12288:B05Rq34RNtJRbdbRrBERq34RNtJRbdbR:uRc4RNtJRbdFrGRc4RNtJRbdF

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Each component under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components carries a StubPath command that Windows runs at logon for any user whose HKCU hive does not yet record that component, so a payload placed there executes once for every user who logs on.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
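The indicators in this report (the two C2 hostnames, the sample's SHA256, and the Active Setup and Run key persistence behaviours) can be turned into a triage check over endpoint telemetry. The following is an added example, not part of the sandbox report or of any detection content the sandbox ships: it runs over a handful of constructed Sysmon-style events (event IDs 1, 13 and 22 with made-up file paths, a made-up user SID and a made-up Active Setup component GUID). The rule names, the severity scheme and the "user-writable path" heuristic are the example's own assumptions, not anything the report states.

```python
"""Triage of constructed Sysmon-style events against the indicators in this
report (XtremeRAT C2 hostnames, the sample SHA256, Active Setup and Run key
persistence). Added example, not part of the sandbox report; the events below
are constructed for illustration, not real telemetry."""
import re
from typing import Dict, List

# Indicators copied from the report.
C2_DOMAINS = {"amir.no-ip.info", "amir1.no-ip.info"}
SAMPLE_SHA256 = "66664b8805b5a084925ac565d2a96dafdf9bbae63020623625d542d7a0131072"

# Registry paths the persistence signatures refer to. Active Setup runs the
# StubPath command once per user at logon; Run keys execute at every logon.
# Sysmon renders per-user hives as HKU\<SID>\..., hence the third alternative.
ACTIVE_SETUP_RE = re.compile(
    r"^HKLM\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Active Setup\\Installed Components\\[^\\]+\\StubPath$",
    re.IGNORECASE,
)
RUN_KEY_RE = re.compile(
    r"^(HKLM|HKCU|HKU\\[^\\]+)\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$",
    re.IGNORECASE,
)
# Heuristic (assumption of this example): an autostart value pointing into a
# directory a non-admin user can write to is far more suspicious than one
# pointing into Program Files.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData)\\", re.IGNORECASE)


def _sha256_of(hashes_field: str) -> str:
    """Pull the SHA256 out of a Sysmon 'Hashes' field such as 'MD5=..,SHA256=..'."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per event that matches an indicator or a persistence rule."""
    findings: List[Dict[str, object]] = []
    for i, ev in enumerate(events):
        eid = ev.get("EventID")
        if eid == "1" and _sha256_of(ev.get("Hashes", "")) == SAMPLE_SHA256:
            findings.append({"event": i, "rule": "known_sample_hash", "severity": "high"})
        elif eid == "22":
            name = ev.get("QueryName", "").lower()
            if name in C2_DOMAINS:
                findings.append({"event": i, "rule": "xtremerat_c2_dns", "severity": "high"})
            elif name.endswith(".no-ip.info"):
                # Same dynamic-DNS provider as the configured C2; a lead, not proof.
                findings.append({"event": i, "rule": "ddns_lookup", "severity": "medium"})
        elif eid == "13":
            target = ev.get("TargetObject", "")
            writable = bool(USER_WRITABLE_RE.search(ev.get("Details", "")))
            if ACTIVE_SETUP_RE.match(target):
                # StubPath writes are rare outside software installers.
                findings.append({"event": i, "rule": "active_setup_stubpath",
                                 "severity": "high" if writable else "medium"})
            elif RUN_KEY_RE.match(target):
                # Run key writes are common; escalate only for user-writable targets.
                findings.append({"event": i, "rule": "run_key_autostart",
                                 "severity": "high" if writable else "low"})
    return findings


# Constructed sample events (subset of Sysmon fields); paths, SID and GUID are made up.
USER_HIVE = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "Image": r"C:\Users\victim\Downloads\invoice.exe",
     "Hashes": "MD5=59c39e77c1aa947761edf957d79390c8,SHA256=" + SAMPLE_SHA256},
    {"EventID": "22", "Image": r"C:\Users\victim\Downloads\invoice.exe",
     "QueryName": "amir1.no-ip.info"},
    {"EventID": "22", "Image": r"C:\Users\victim\Downloads\invoice.exe",
     "QueryName": "backup-host.no-ip.info"},
    {"EventID": "13", "Image": r"C:\Users\victim\Downloads\invoice.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{A1B2C3D4-0000-0000-0000-000000000001}\StubPath",
     "Details": r"C:\Users\victim\AppData\Roaming\updater.exe"},
    {"EventID": "13", "Image": r"C:\Users\victim\Downloads\invoice.exe",
     "TargetObject": USER_HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater",
     "Details": r"C:\Users\victim\AppData\Roaming\updater.exe"},
    {"EventID": "13", "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
    {"EventID": "22", "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "update.microsoft.com"},
]

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f)
```

The exact-match rules (hash, C2 hostnames) are high-confidence but brittle: a repacked sample or a new dynamic-DNS name evades them, which is why the behavioural rules (StubPath and Run key writes into user-writable locations) carry most of the weight once the indicators go stale.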

MITRE ATT&CK Enterprise v15

Tasks